© 2005 Protiviti Inc.
The Role of Internal Audit in Business Continuity Planning
Dan Bailey, MBCP
Introduction
Dan Bailey, MBCP, Senior Manager, Protiviti ([email protected])
• Actively involved in the Information Technology industry since 1984
• Actively involved in the Business Continuity industry since 1991
• Received CBCP designation in 1999; MBCP designation in 2002
• Co-Founder of the Arkansas chapter of the Association of Contingency Planners
• 2002 President of the North Texas chapter of the Association of Contingency Planners
• 2003-2005 DRI International Certification Commissioner
• 2006-2008 DRI International Vice-Chair of the newly established Education Commission
Agenda
• Establishing A Framework
• Internal Audit – Adding Value to the BCP Process
• Information Available to the Internal Auditor
• Proven Approaches to Conducting a BCP Audit
• SOX Section 404?
• Wrap-up and Summary
“By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through 2012.” - META Group (February 2003)
Section I
Establishing A Framework
Business Continuity Management Defined
BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning
…the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
Components of A Business Continuity Process
(The original slide lays the components out as a matrix; the groupings below follow its column headings: Business Strategies & Policies, Business & Risk Management Processes, People & Organizational Structure, Management Reports, Methodologies, and Systems & Data.)

Business Strategies & Policies
• Contract Terms and Conditions with Suppliers
• Customer Service Level Agreements
• Governance Documentation
- Process Accountability
- Recurring Activities
- Documentation Standards
- Strategy Testing
- Training & Awareness
- Plan Maintenance
- Succession Plans

Business & Risk Management Processes
• Emergency Response
• Crisis Mgmt
• Crisis Communications
• Business Resumption Planning
• IT DR Planning
• Business Impact Analysis
• Risk Assessment
• Business Continuity Strategy Testing
• Training & Awareness
• Supplier Risk Mgmt

People & Organizational Structure
• Audit Committee Oversight
• Executive Mgmt Sponsorship
• Business Continuity Coordinator
• Crisis Mgmt Team
• Business Recovery Coordinators
• IT DR Coordinators
• Recovery Teams
• Internal Audit Oversight
• Industry / Governmental Oversight

Management Reports
• Risk Assessment Conclusions (Likelihood and Vulnerability)
• Business Impact Analysis Conclusions (Recovery Objectives)
• Strategy Design Options
• Strategy Cost-Benefit Analysis
• Strategy Test Results
• Diagnostic and Benchmarking Conclusions

Methodologies
• Business Continuity Governance Design and Data Gathering
• Risk Assessment
• Business Impact Analysis
• Strategy Design
• Plan Documentation
• Plan Validation
• Knowledge Transfer / Implementation

Systems & Data
• Documentation Repository
• Plan Documentation Software
• Risk Assessment Conclusions
• Business Impact Analysis Conclusions
• Backup / Replication Software (IT DR Only)
• IT Hardware
The Continuity Life Cycle
(The original slide shows the phases as a cycle diagram.)
• Project Initiation and Management
• Risk Assessment
• Business Impact Analysis
• Business Continuity Strategy Design
• Solutions Deployment & Plan Documentation
• Business Continuity Plan Testing
• Training & Awareness Programs
• Compliance Monitoring & Auditing

• "Typical" Participants in the Planning Process:
– Executive Sponsor
– Steering Committee
– Business Continuity Coordinator
– Business Process Owners
– Information Technology
– Human Resources
– Facilities
– Security
– EHS
– Legal
– Corporate Communications
– Risk Management
– Internal Audit?
The BCP Maturity Continuum
BCM Capability Maturity Continuum (© 2004 Protiviti Inc.)
(The original slide is a table with process maturity increasing from Ad Hoc through Repeatable, Defined and Managed to Optimizing, with two columns per level: Characteristics of Capability and Method of Achievement.)

Ad Hoc
Characteristics of Capability: Significant risks of continuity-related impacts are present. Business interruptions, ranging from isolated infrastructure failures through regional events, have the potential to cause serious financial harm and/or reputational impairment. The organization relies on "force majeure" clauses to minimize contractual violations.
Method of Achievement: BCP goals and expectations were derived without a risk assessment or business impact analysis. Business continuity strategies are characterized as ad hoc; a formal documented plan does not exist. Business continuity accountability and responsibility remain unassigned. Business continuity testing and training and awareness processes have not been designed. The organization lacks confidence in its ability to survive following a business interruption.

Repeatable
Characteristics of Capability: Management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions. IT asset recovery is often the most mature aspect of the continuity process, although some organizations emphasize either crisis management or business resumption planning. Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort.
Method of Achievement: The organization's business continuity strategy addresses crisis management, business resumption or IT disaster recovery. Continuity processes are designed and developed separately and lack integration. A high-level risk assessment and/or business impact analysis has been performed. Although some continuity-related processes exist, plan maintenance and testing procedures have not been implemented.

Defined
Characteristics of Capability: Business functions and IT assets supporting the delivery of products and services, as well as customer service, are protected from long-term business interruptions. Customer expectations regarding product and service delivery have been taken into account. Testing and training limitations may result in isolated recovery issues, often taking the form of recovery capacity constraints and missed recovery objectives.
Method of Achievement: A formal business continuity strategy has been designed and deployed. A risk assessment has been performed to identify and assess continuity risks. A business impact analysis (BIA) has been performed, but there are no processes to keep it current. Testing is infrequent or fails to address all aspects of the continuity process. Plan maintenance activities have not occurred in over twelve months. Metrics for key BCP tasks require refinement.

Managed
Characteristics of Capability: In addition to a customer focus and the desire to minimize financial loss and reputation impairment, management addresses regulatory compliance through the design of solutions with characteristics mandated by industry and governmental organizations. Specific compliance categories include data protection, financial reporting process continuity, strategy testing and plan maintenance processes.
Method of Achievement: Business continuity strategies address core business functions, information technology assets and supply chain relationships. Management fully supports this effort. The organization's business continuity management process, to include crisis management, crisis communications, business resumption planning and IT disaster recovery planning, operates as a single function. The BCM process reflects the current business and technology environment.

Optimizing
Characteristics of Capability: Business continuity management is a competitive advantage. Management "advertises" the existence of the business continuity process internally and externally with customers. Continuity-related service level agreements, associated with uptime, performance and continuity, are utilized to drive efficiencies internally and build strategic relationships with customers.
Method of Achievement: Comprehensive, organization-wide business continuity strategies are aligned with strategic objectives and customer expectations. BCM operates as a core business function, chartered with clear accountability and responsibility. Regular BCP testing and maintenance occurs. Personnel are well trained regarding their roles and responsibilities. Metrics are collected and managed to ensure continuity-related service level agreements are met.
Managing Business Continuity
(Reporting-line options for the BCM function; the original slide plots them against an axis labelled "Effectiveness".)
• Finance
– Direct Report to CFO
– Risk Management / Loss Prevention
• Executive Council
– Legal
– Human Resources
– Corporate Communications
• Operations
– Direct Report to the COO
– EHS
– Security
• Information Technology
• Internal Audit
Section II
Internal Audit – Adding Value to the BCP Process

In the Past, The Internal Auditor…
• Asked if a plan was in place
• Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors
• Asked if tests were performed; didn't review the results
• Occasionally owned the BCP process!
The Continuity Life Cycle - Revisited
(The same cycle diagram as in Section I: Project Initiation and Management; Risk Assessment; Business Impact Analysis; Business Continuity Strategy Design; Solutions Deployment & Plan Documentation; Business Continuity Plan Testing; Training & Awareness Programs; Compliance Monitoring & Auditing.)

• Ways In Which the Internal Auditor Can Add Value to the BCP Process:
– Keeping Management Informed on Progress Toward BCM Development and Implementation
– The Internal Sales Person – Making the Case for Business Continuity
– Participation in the Risk Assessment and Business Impact Analysis
– Defining Key Business Functions By Assisting with the BIA
– Defining Key Controls and Guiding Toward a Process, not a Plan
– Project Management Standards
– Help Craft Maturity Levels and Definitions
– Audit the BCP Process – Initially and in the Future
Section III
Information Available to the Internal Auditor

Guidance from the IIA – www.theiia.org
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
• Auditors should evaluate business continuity readiness
• Internal audit should assess the organization's business continuity process on a regular basis – provide a preparedness summary to senior management
• Internal auditors can play a role in the organization's planning, to include the risk assessment
– Internal audit activity can help with an assessment of an organization's internal and external environment
• Evaluate the BCP/DRP during formulation
– Internal auditors have a thorough understanding of the business, the individual functions and interdependent relationships
Guidance from the IIA (cont.)
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
• Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy
• During the recovery period:
– Internal audit should monitor the effectiveness of the recovery and control of operations
– Recommend improvements to the BCP
– Internal audit can also provide support during the recovery activities
– Internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations
• Periodically audit the organization's BCPs/DRPs:
– Adequacy to ensure the timely resumption of operations and processes after adverse circumstances
– Reflects the current business operating environment
Guidance from the IIA (cont.)
Practice Advisory 2110-2: Internal Audit's Role in the Business Continuity Process
• During the audit, Internal Audit should consider:
– Are all plans up to date?
– Are all critical business functions and systems covered?
– Are the plans based on the risks and potential consequences of business interruptions?
– Are the plans fully documented?
– Have functional responsibilities been assigned?
– Is the organization capable of and prepared to implement the plans?
– Are the plans tested and revised based on the results?
– Are the plans stored properly and safely? Is the storage location known?
– Are the locations of alternate facilities (backup sites) known to employees?
– Do the plans call for coordination with local emergency services?
Regulations and Standards
• Standards and Guidelines
– COBIT
– FFIEC
– NIST
– ISO 9000 & 14000, QS 9000
– ISO 17799
– NFPA 1600
– DRI International
– BCI PAS 56
– ITIL
– Homeland Security
– COSO
• Regulatory Requirements
– Sarbanes-Oxley (Governance)
– FEMA
– FERC
– JCAHO
– HIPAA
– GLBA
– FFIEC (Updated)
– OSHA
– SEC
– NYSE / NASD
– State Insurance Departments
– USA PATRIOT Act
– IRS
– Australian/New Zealand Standard AS/NZS 4360:1999
– California SB 1386
– Basel II
– Public Utility Commissions
– FCC
Section IV
Proven Approaches to Conducting a BCP Audit

Why Conduct a BCP Audit?
• Provide Management Assurance
• Identify Control Gaps
• Regulatory Compliance
• Identify Actions to Enhance Maturity
• Ensure Business Process Owners are Accountable for Their Plans and Testing
A Proven Practice BCP Audit Approach
• Work in a Collaborative Manner (Advise/Teach)
• Understand the History of BCP, Management Objectives and the Level of Maturity Up Front
• Understand the Scope of Business Continuity
• Approach From a Process Perspective, as Opposed to a Documentation Review
– Look for and assess key success factors such as repeatability, extensibility and maintainability
• Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing
• Brainstorm Ideas for Improvement – Engage the Business Continuity Coordinator
Executing A Process Oriented BCP Audit
• A Comprehensive Business Continuity Management Process Includes:
– Crisis Management
– Crisis Communications
– Business Resumption Planning
– IT Disaster Recovery Planning
• Evaluate the Following:
– Standards, Policies and Procedures
– Relationships with External Agencies and Authorities
– Training and Awareness Materials
– Budgetary Documentation
– Documented Plans
– Recovery Location / Hot-site Contracts
– Test Results
– Service Level Agreements
– Regulatory Requirements
– Supply Chain / Vendors
– Network
The Assessment Approach
• The Approach
– Confirm Assessment Expectations / Collect Business Requirements
– Evaluate the Business Continuity Process
• Process Management
• Risk Assessment and Business Impact Analysis
• Define Recovery Strategies and Business Continuity Procedures
• Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance
– Collect Benchmarking Data to Reinforce Findings
– Validate, Present and Report
Industry Benchmarking Data
• Nothing Reinforces a Recommendation Like Benchmarking Data
– Same Industry
– Same Size Company
• We maintain information in the following areas:
– BCM Process Description and Scope
– Who Owns the BCM Process
– Budgetary Data
– Number of Personnel Addressing Business Continuity
– Recovery Objectives (Business and IT)
• Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session)
Participants in the BCP Audit
• In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (in order to better understand their expectations)
Presenting the Findings
• Reinforce Scope and Focus
• Focus on Process Maturity
• Highlight Strengths and Weaknesses
– Tie Findings to Business Impact, to Include Regulatory Compliance
• Provide Action Items and Recommend Points of Contact for Each
• Offer to Track Completion of Each Finding / Action Item
• Next Steps – What Will Next Year's Audit Focus On?
Section V
Sarbanes-Oxley?

Internal Audit and SOX Section 404?
• Section 404 had become a driver for conducting some audits
• Standard may change audit priority
• Business continuity will remain a key business issue – regardless of Section 404 scope
“Furthermore, management’s plans that could potentially affect financial reporting in future periods are not controls. For example, a company’s business continuity or contingency planning has no effect on the company’s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company’s business continuity or contingency planning is not part of internal control over financial reporting.”
PCAOB Release No. 2004-001, March 9, 2004
Section VI
Presentation Summary
Wrap-up and Summary
• Establishing A Framework
– What is Business Continuity?
– Components of a Business Continuity Process
– The Business Continuity Life Cycle
– The BCP Maturity Continuum
• Internal Audit – Adding Value to the BCP Process
– In the Past
– Today: Revisiting the Continuity Life Cycle
• Information Available to the Internal Auditor
– Regulations and Standards
• Proven Approaches to Conducting a BCP Audit
– Why Conduct An Audit?
– Proven Practice Audit Approaches
– Executing A Process Oriented BCP Audit
– Participants in the BCP Audit
– Industry Benchmarking
– Presenting Findings
• Wrap-up and Summary
Questions & Answers
Contact Information
Dan Bailey, MBCP
Protiviti Inc.
Senior Manager, National Leadership Team - Business Continuity Management Services
[email protected] (office)
214.207.4543 (mobile)